recon/OSINT [Open Source Intelligence]
TRAVERSING DOWN THE RABBIT HOLE
Eric Hart -- Credit Suisse

INTELLIGENCE GATHERING AND RECONNAISSANCE
If you don’t know where you’re going, any road will get you there.
Many Communities | One Purpose
• Governments
• Intelligence Communities
• Armed Forces
• Homeland Security
• Law Enforcement Agencies
• Businesses
Many Goals | One Purpose
• Gather as much information as possible from all available sources and analyze it to do one thing:
• Produce Actionable Intelligence*
* pentest-standard.org

All roads lead to Nirvana… or do they?
INTELLIGENCE THEORY
• Intelligence is the ultimate paradox
• Assumptions must be explicit
• Intelligence can produce benefits and can also be harmful
• Intelligence cannot be predicted, only recommended
• Intelligence can produce unintended outcomes
Oxford Handbook of National Security Intelligence – Dr. Peter Gill
INTELLIGENCE THEORY
• The Critical Realist Approach
• Causation through interaction between actors and structures
• Processes cannot be observed
• Evidence should be tested against the hypotheses | application of alternative theories and models
Oxford Handbook of National Security Intelligence – Peter Gill
INTELLIGENCE THEORY
• Intelligence is a subset of surveillance
• The heart of risk management combines knowledge and power
[Figure: Intelligence Activities – Targeting, Collection, Analysis, Dissemination, Action; labelled POWER]
Oxford Handbook of National Security Intelligence – Peter Gill
INTELLIGENCE THEORY
• Defensive Surveillance vs Intelligence
• Defensive Surveillance = Risk
• Intelligence = Threats
Oxford Handbook of National Security Intelligence – Peter Gill
INTELLIGENCE THEORY
• Four Types of Knowledge and Power
• Certainty – outcomes are known, clarity of preference is needed
• Risk – benefits and adverse effects are known, probability of various outcomes
• Uncertainty – possible outcomes are known, no way to estimate probability
• Ignorance – cannot anticipate adverse effects; magnitude, relevance and probability are unknown
[Figure axes: KNOWLEDGE, POWER]
Oxford Handbook of National Security Intelligence – Peter Gill
INTELLIGENCE THEORY
• What is Intelligence or OSINT?
• [Art + Craft + Science + Capability (read: Domain Knowledge)] – Richards J. Heuer
The Tao of Open Source Intelligence – Stewart K. Bertram
INTELLIGENCE THEORY
• OSINT | Four concepts or Four Layered Approach
• Multilayered
• Cyber geography
• Mixed Medium
• Tangibility
The Tao of Open Source Intelligence – Stewart K. Bertram
INTELLIGENCE THEORY
• Multilayered
• Surface Web
  • Common Knowledge (caveat emptor – Google is NOT the internet)
  • Generally not sensitive data
  • Available via mainstream browsers
• Deep Web
  • Not indexed by main search engines
  • Cannot be read by conventional technology
  • Information on individuals is located here but not easily accessible
• Dark Web
  • Accessed by anonymized methods (TOR)
  • Often used for criminal activities
The Tao of Open Source Intelligence – Stewart K. Bertram
INTELLIGENCE THEORY
• Cyber Geography
• Region based
  • Anglophone
  • Russophone
  • Etc.
• Divided linguistically
• Knowing only one language diminishes success
• Beware ‘single-source intelligence’
The Tao of Open Source Intelligence – Stewart K. Bertram
INTELLIGENCE THEORY
• Mixed Medium
• Not single-sourced
• Complex combination of search and display technologies
• Each component requires a unique set of techniques to master
• Risks and operational requirements must be evaluated before being put into use
The Tao of Open Source Intelligence – Stewart K. Bertram
INTELLIGENCE THEORY
• Tangibility
• ‘Real world’ vs the Internet
• Importance to the human experience?
• Relevance to basic needs, e.g. stable electricity and clean water
The Tao of Open Source Intelligence – Stewart K. Bertram
ELEMENTS OF OSINT
• OSINT – 4 Elements
  • Uncovering
  • Discrimination
  • Refining
  • Delivering
4 Elements | Still one purpose: Produce Actionable Intelligence

• OSINT – Uncovering
  • Who knows about the data?
  • Where do we look?
  • Which data is appropriate?
  • Leverage distributed expertise and knowledge

• OSINT – Discrimination
  • Discriminate between the good and the bad
  • Eliminate the outdated and irrelevant

• OSINT – Refining
  • Assembling the final output
  • Length depends upon relevant data

• OSINT – Delivery
  • Must be given in proper time
  • Format has to be clear and easily understandable
Infosec Institute
ELEMENTS OF OSINT
• OSINT – a maturity model
  • Corporate
  • Individual
  • Covert Gathering
  • Footprinting
  • Identify Protection Mechanisms
• 3 Levels of Information Gathering
  • Level 1 | Compliance
  • Level 2 | Best Practice
  • Level 3 | State Sponsored
www.pentest-standard.org

OSINT FRAMEWORK
[Figure: OSINT Framework]
ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 1: Before Development Begins
    1.1: Define a SDLC
    1.2: Review Policies and Standards
    1.3: Develop Measurement and Metrics Criteria and Ensure Traceability
  Phase 2: During Definition and Design
    2.1: Review Security Requirements
    2.2: Review Design and Architecture
    2.3: Create and Review UML Models
    2.4: Create and Review Threat Models
  Phase 3: During Development
    3.1: Code Walk Through
    3.2: Code Reviews
  Phase 4: During Deployment
    4.1: Application Penetration Testing
    4.2: Configuration Management Testing
  Phase 5: Maintenance and Operations
    5.1: Operational Management Reviews
    5.2: Periodic Health Checks
    5.3: Ensure Change Verification
www.owasp.org
ELEMENTS OF OSINT
digital-forensics.sans.org
[Figure: Pyramid of Pain, bottom to top – IP Addresses (Trivial), Domain Names (Easy), Network/Host Artifacts (Annoying), Tools (Challenging), TTPs (Tough!)]

Collective Intelligence Framework
collectiveintel.net
• REN-ISAC project
• Pulls in feed of IOCs from public and private sources
• Focuses on lower end of “pyramid of pain”
• Exports data to infrastructure or supports lookup during response
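As an added illustration (not code from the slides or from the CIF project) of a lower-end-of-the-pyramid feed lookup during response: each hit is tagged with the tier pairing shown on the slide, so the responder can see how cheaply the adversary could change that indicator. The feed entries, log lines, tier mapping and domain regex are assumptions constructed for this example.

```python
import ipaddress
import re

# The three lowest tiers of the pyramid of pain as paired on the slide,
# lowest adversary cost first. Tools and TTPs sit above these but are not
# the kind of atomic indicator a feed delivers.
TIER_ORDER = ["ip", "domain", "artifact"]
PAIN = {"ip": "Trivial", "domain": "Easy", "artifact": "Annoying"}

# Assumed, deliberately simple hostname check (labels of letters/digits/hyphens).
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(indicator):
    """Return the pyramid-of-pain tier key for one feed indicator."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(indicator):
        return "domain"
    return "artifact"  # URI paths, user-agent strings, mutex names, etc.


def lookup(feed, log_lines):
    """Match every feed indicator against the log lines (case-insensitive
    substring match). Returns (indicator, tier, pain, [line numbers]) for
    each indicator that hits, hardest-to-change indicators first."""
    results = []
    for ioc in feed:
        lines = [n for n, line in enumerate(log_lines, 1)
                 if ioc.lower() in line.lower()]
        if lines:
            tier = classify(ioc)
            results.append((ioc, tier, PAIN[tier], lines))
    results.sort(key=lambda r: TIER_ORDER.index(r[1]), reverse=True)
    return results


# Constructed feed entries and proxy log lines; none are real indicators.
FEED = ["203.0.113.45", "update-check.example.net", "/gate.php?id=", "198.51.100.7"]
LOGS = [
    "2024-05-01T10:00:01Z host=ws-12 dst=203.0.113.45 uri=/index.html",
    "2024-05-01T10:00:09Z host=ws-12 dst=update-check.example.net uri=/gate.php?id=ab12",
    "2024-05-01T10:01:30Z host=ws-07 dst=192.0.2.10 uri=/news",
]

if __name__ == "__main__":
    for ioc, tier, pain, lines in lookup(FEED, LOGS):
        print(f"{pain:9}{ioc:28}lines {lines}")
```

The ordering is the point: a hit on the URI artifact survives the adversary rotating the IP or domain, while the IP hit alone is the cheapest for them to invalidate.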
Framework and Methodology Comparison
Program Objectives Used for Comparison Criteria

Framework or Methodology   Sponsoring Organization   Program Structure   Control Baseline   Risk Triage   Risk Business Case
COBIT 5                    ISACA                     4                   2                  0             0
DSS                        PCI                       0                   2                  0             0
FAIR                       The Open Group            0                   0                  2             4
IRAM2                      ISF                       3                   0                  2             2
ISO 27000x                 ISO                       4                   1                  0             0
ISO 31000                  ISO                       2                   0                  0             0
SANS-20                    CSC                       0                   3                  0             0
SP 800-30                  NIST                      2                   4                  2             2
SP 800-53                  NIST                      1                   4                  1             0
UCF                        Unified Compliance        0                   3                  0             0

Harvey Ball fill percentage indicates relative strength within each program objective, from none (0) to strong (4).
Gartner Research

A Framework is just a guideline. So is OSINT.
APPENDIX
Sources: pentest-standard.org; Oxford Handbook of National Security Intelligence; The Tao of Open Source Intelligence; Infosec Institute; osintframework.com; owasp.org; digital-forensics.sans.org; verizon.com; David J. Blanco; Gartner Research
QUIZ
• Name the first two official intelligence agencies formed in the US.
• In what year was the CIA first formed?
• When was Gary Powers shot down?
• Which TCP port is hacked most often?
• Windows 8 is a _____ ring process mode operating system? Name them.
• Which of the following is most commonly used to disable DEP in Windows 7 or Windows 8?
  • VirtualAlloc()
  • WriteProcessMemory()
  • VirtualProtect()
  • NtSetInformationProcess()

Thank you!